{
	"id": "9fd6dec0-dcd4-4417-ab1a-1fc527c8219b",
	"created_at": "2026-04-06T00:22:00.790215Z",
	"updated_at": "2026-04-10T13:12:38.378177Z",
	"deleted_at": null,
	"sha1_hash": "3e853725eb94558b46eb8c13e331f4a4d4a34d99",
	"title": "Horns\u0026Hooves campaign delivers NetSupport RAT and BurnsRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1864380,
	"plain_text": "Horns\u0026Hooves campaign delivers NetSupport RAT and BurnsRAT\r\nBy Artem Ushkov\r\nPublished: 2024-12-02 · Archived: 2026-04-05 13:47:06 UTC\r\nRecent months have seen a surge in mailings with lookalike email attachments in the form of a ZIP archive containing JScript scripts. The script files – disguised as requests and bids from potential customers or partners – bear names such as “Запрос цены и предложения от Индивидуального предпринимателя \u003cФИО\u003e на август 2024. АРТ-КП0005272381.js” (Request for price and proposal from sole trader \u003cname\u003e for August 2024. ART-KP0005272381.js), “Запрос предложений и цен от общества с ограниченной ответственностью \u003cпредприятие\u003e на сентябрь 2024. отэк-мн0008522309.js” (Request for proposals and prices from LLC \u003ccompany\u003e for September 2024. Otek-mn0008522309.js), and the like.\r\nExamples of malicious emails\r\nAccording to our telemetry, the campaign began around March 2023 and hit more than a thousand private users, retailers and service businesses located primarily in Russia. We dubbed this campaign Horns\u0026Hooves, after a fictitious organization set up by swindlers in the Soviet comedy novel The Golden Calf.\r\nStatistics\r\nNumber of users who encountered the malicious script, by month, March 2023 — September 2024\r\nMalicious scripts\r\nDuring the campaign, the threat actors made some major changes to the script, while keeping the same distribution method. In almost all cases, a JS script named “Заявка на закупку…” (“Purchase request…”), “Запрос цен…” (“Request for quote…”), or similar was sent in a ZIP archive. Far more rarely, the scripts were called “Акт сверки…” (“Reconciliation statement…”), “Заявление на возврат…” (“Request for refund…”), “Досудебная претензия…” (“Letter of claim…”) or just “Претензия…” (“Claim…”). The earliest versions that we encountered in April and May used scripts with the HTA extension instead of JS scripts.\r\nFor believability, besides the script, the attackers sometimes added to the archive various documents related to the organization or individual being impersonated. For example, an archive attached to a booking cancellation email contained a PDF file with a copy of a passport, while price request emails had extracts from the Russian Unified State Register of Legal Entities, certificates of tax registration and company cards attached. Below, we examine several versions of the scripts used in this campaign.\r\nTypical archive contents\r\nVersion A (HTA)\r\nSome of the first sample scripts we saw in April and early May 2023 were relatively small in size. As an example, we analyzed a sample with the MD5 hash sum 327a1f32572b4606ae19085769042e51.\r\nFirst version of the malicious script in attachment\r\nWhen run, the script downloads a decoy document from https://www.linkpicture[.]com/q/1_1657.png in the form of a PNG image, which it then shows to the user. In this case, the image looks like a screenshot of a table listing items for purchase. It may have been taken from a previously infected machine.\r\nDecoy document in PNG format\r\nNote that PNG decoy documents are rather unconventional. Usually, bids and requests that are used to distract user attention from malware are distributed in office formats such as DOCX, XLSX, PDF and others. The most likely reason for using PNG is that in the very first versions the attackers hid the payload at the end of the bait file. PNG images make convenient containers because they continue to display correctly even after the payload is added.\r\nTo download the decoy document, the attackers use the curl utility, which comes preinstalled on devices with Windows 10 (build 17063 and higher). Together with the document, using another built-in Windows utility, bitsadmin, the script downloads and runs the BAT file bat_install.bat to install the main payload. The script also makes use of bitsadmin for managing file transfer tasks.\r\nSnippet of the BAT script that installs the payload\r\nUsing bitsadmin, the BAT script first downloads from the attackers’ address hxxps://golden-scalen[.]com/files/, and then installs, the following files:\r\nFile name — Description\r\nAudioCapture.dll — NetSupport Audio Capture\r\nclient32.exe — NetSupport client named CrossTec\r\nclient32.ini — Configuration file\r\nHTCTL32.DLL — NetSupport utility for HTTP data transfer\r\nmsvcr100.dll — Microsoft C runtime library\r\nnskbfltr.inf — Windows Driver Frameworks configuration file for installing additional drivers\r\nNSM.LIC — NetSupport license file\r\nnsm_vpro.ini — Additional NSM settings\r\npcicapi.dll — pcicapi file from the NetSupport Manager package\r\nPCICHEK.DLL — CrossTec VueAlert PCIChek\r\nPCICL32.DLL — NetSupport client as a DLL\r\nremcmdstub.exe — CrossTec remote command line\r\nTCCTL32.DLL — NetSupport utility for TCP data transfer\r\nTo download the required file, bat_install.bat appends its name to the end of the URL. The script saves the downloaded files to the user directory %APPDATA%\\VCRuntineSync.\r\nThe payload is the legitimate NetSupport Manager (NSM) tool for remote PC management. This software is often used in corporate environments for technical support, employee training and workstation management. However, due to its capabilities, it is regularly exploited by all kinds of cybergangs. The versions and modifications of this software seen in cyberattacks and providing a stealth run mode have been dubbed NetSupport RAT.\r\nMost often, NetSupport RAT infiltrates the system through scam websites and fake browser updates. In December 2023, we posted a report on one such campaign that installed NetSupport RAT under the guise of a browser update after the user visited a compromised website.\r\nAfter the file download, the bat_install.bat script runs the client32.exe file and adds it to the startup list.\r\nstart /B cmd /C \"start client32.exe \u0026 exit\"\r\nreg add \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"VCRuntineSync\" /t REG_SZ /d '%APPDATA%\\VCRuntineSync\\client32.exe' /f\r\nAnd, in case the HTA script failed, the BAT script attempts to download and run the bait file.\r\nWhen NetSupport RAT is run, it establishes a connection to one of the attackers’ servers set in the client32.ini configuration file: the main one, xoomep1[.]com:1935, or the backup one, xoomep2[.]com:1935.\r\nThe client32.ini configuration file\r\nVersion A infection chain\r\nVersion B (JS + NSM)\r\nA bit later, in mid-May 2023, there appeared versions of the script mimicking legitimate JS files.\r\nJS version of the malicious script in attachment\r\nThe code of this script contains a comment from the publicly available JavaScript library Next.js with license and copyright information. This way, the attackers try to make the code appear legitimate. We also see how they added malicious code to the middle of the file that a cursory inspection would miss, but still got executed at runtime.\r\nIn terms of functionality, the JS versions of the script are virtually the same as the HTA ones. They too show a decoy document and install NetSupport RAT. But there are some differences. For example, the script with the hash sum b3bde532cfbb95c567c069ca5f90652c, which we found under the filename “досудебная претензия от 18.05.2023 №5 от компании ооо \u003cНАЗВАНИЕ_КОМПАНИИ\u003e.js” (“Letter of claim No. 5, dated May 18, 2023, from LLC \u003ccompany\u003e.js”), first downloads an intermediate JS script from the address hxxp://188[.]227[.]58[.]243/pretencia/www.php.\r\nSecond script contents\r\nThis second script downloads two more files: the decoy document zayavka.txt and the NetSupport RAT installer installer_bat_vbs.bat. Like PNG images, decoy documents in TXT format are not standard practice. And with this version, the files contain generated text in Russian that is meaningless and repeated several times, using different characters that look vaguely Cyrillic. They would appear to be the first tests of the new bait file format.\r\nDecoy document with meaningless text\r\nAfter downloading the files, the www.php script opens the text document and runs the NetSupport RAT installer, which it saves with the name BLD.bat. To download the NetSupport components, the script uses the same path as version A: hxxps://golden-scalen[.]com/files/. Unlike the previous version, this script downloads the files to the %APPDATA%\\EdgeCriticalUpdateService directory. Correspondingly, the autorun registry key used by this version is named EdgeCriticalUpdateService. Also, the BLD.bat file contains no redundant code for re-downloading the bait file.\r\nVersion B infection chain\r\nVersion C (JS + BurnsRAT)\r\nAnother interesting sample we found in mid-May had the name “заявка на закупки №113 от компании \u003cНАЗВАНИЕ_КОМПАНИИ\u003e на май 2023 года.js” (“procurement request No. 113 from \u003ccompany\u003e for May 2023.js”) and the MD5 hash sum 5f4284115ab9641f1532bb64b650aad6.\r\nFully obfuscated version of the malicious script\r\nHere, we also see a comment with license and copyright information about the Next.js library, but there is nothing left of the library source code. The malicious code itself is more heavily obfuscated, and the link to the intermediate script hxxp://188[.]227[.]106[.]124/test/js/www.php is invisible to the naked eye.\r\nSecond script contents\r\nIn this version, the intermediate script downloads three more files: the decoy document zayavka.txt, the payload BLD.exe, and the auxiliary script 1.js. The decoy document in this instance looks more meaningful, and is likely the result of a screenshot-to-text conversion.\r\nDecoy document\r\nHaving loaded the files, the www.php script opens the decoy document and runs the 1.js file, which in turn launches the BLD.exe file.\r\nWhat’s most striking about this instance is the payload.\r\nBLD.exe (MD5: 20014b80a139ed256621b9c0ac4d7076) is an NSIS installer that creates a Silverlight.7z archive in the %PROGRAMDATA%\\Usoris\\LastVersion folder and extracts several files from it:\r\nFile name — Description\r\nlibeay32.dll — OpenSSL shared library\r\nmsimg32.dll — Malicious loader\r\nsettings.dat — RMS configuration file\r\nSilverlight.Configuration.exe — Legitimate Microsoft Silverlight Configuration Utility\r\nssleay32.dll — OpenSSL shared library\r\nw32.dat — Archive with RDP Wrapper x32\r\nw64.dat — Archive with RDP Wrapper x64\r\nWUDFHost.exe — Remote Manipulator System\r\nThe next step is to run the legitimate Silverlight.Configuration.exe file. When launched, it loads the dynamic libraries (DLLs) that the program needs, using a relative path. This opens the door to a DLL side-loading attack: the malicious msimg32.dll library and the utility are placed in the same directory, which results in the malicious program being loaded and gaining control instead of the system library. Although the backdoor supports commands for remotely downloading and running files, as well as various methods of executing commands via the Windows command line, the main task of this component is to start the Remote Manipulator System (RMS) as a service and send the RMS session ID to the attackers’ server.\r\nsvchost.exe -k \"WUDFHostController\" -svcr \"WUDFHost.exe\"\r\nOn top of that, msimg32.dll sends information about the computer to the server hxxp://193[.]42[.]32[.]138/api/.\r\nOutgoing request to the server\r\nThe sent data is encrypted using the RC4 algorithm with the Host value as the key, which in this case is the IP address of the server, 193.42.32[.]138.\r\nSystem information sent by the library\r\nRMS is an application that allows users to interact with remote systems over a network. It provides the ability to manage the desktop, execute commands, transfer files and exchange data between devices located in different geographic locations. Typically, RMS uses encryption technologies to protect data and can run on a variety of operating systems. The RMS build distributed by the attackers is also called BurnsRAT.\r\nRMS has support for connecting to a remote computer via Remote Desktop Protocol (RDP), so besides the application itself and files for running it, the NSIS installer saves to the device the w32.dat and w64.dat archives, which contain a set of libraries created using RDP Wrapper to activate additional RDP features.\r\nRDP Wrapper is a program for activating remote desktop features in Windows versions that do not support them by default, such as Windows Home; it also allows multiple users to connect to one system simultaneously.\r\nAt its core, RMS is a close analog of NetSupport, but the RMS payload did not gain traction.\r\nBurnsRAT infection chain\r\nVersion D (JS + Hosted NSM ZIP)\r\nA few more characteristic changes in the scripts caught our eye in late May 2023. Let’s examine them using a file named “purchase request from LLC \u003ccompany\u003e No. 3.js” with hash sum 63647520b36144e31fb8ad7dd10e3d21 as an example. The initial script itself is very similar to version B and differs only in the link to the second script, hxxp://45[.]133[.]16[.]135/zayavka/www.php. But unlike version B, the BAT file for installing NetSupport RAT has been completely rewritten.\r\nBAT script contents\r\nIn this version, it is located at hxxp://45[.]133[.]16[.]135/zayavka/666.bat, and to install NetSupport it downloads an intermediate PowerShell script hxxp://45[.]133[.]16[.]135/zayavka/1.yay, which in turn downloads and unpacks the NetSupport RAT archive from hxxp://golden-scalen[.]com/ngg_cl.zip. The contents of the archive are identical in every way to the NetSupport version installed by the version B script.\r\nPowerShell script contents\r\nVersion D infection chain\r\nVersion E (JS + Embedded NSM ZIP)\r\nThe next notable, but less fundamental, changes appeared in June 2023. Instead of downloading the encoded ZIP archive with NetSupport RAT, the attackers began placing it inside the script. This caused the script to increase in size. In addition, the comment in the file header was replaced with one from the Backbone.js library.\r\nSnippet of the third version of the script\r\nStarting around September 2023, the NetSupport RAT files were split into two archives; and since February 2024, instead of text bait files, the attackers have been striving for greater plausibility by using PDF documents, which were also contained in the script code.\r\nVersion E decoy document\r\nVersion E infection chain\r\nAttribution\r\nAll NetSupport RAT builds detected in the campaign contained one of three license files with the following parameters:\r\nFile 1\r\nlicensee=HANEYMANEY\r\nserial_no=NSM385736\r\nFile 2\r\nlicensee=DCVTTTUUEEW23\r\nserial_no=NSM896597\r\nFile 3\r\nlicensee=DERTERT\r\nserial_no=NSM386098\r\nLicense files\r\nThese license files were also used in various other unrelated campaigns. For instance, they’ve been seen in mailings targeting users from other countries, such as Germany. And they’ve cropped up in NetSupport RAT builds linked to the TA569 group (also known as Mustard Tempest or Gold Prelude). Note that licenses belonging to HANEYMANEY and DCVTTTUUEEW23 featured in the Horns\u0026Hooves campaign for a short span before being completely dislodged by a license issued in the name of DERTERT three months later.\r\nLicensee | HANEYMANEY | DCVTTTUUEEW23 | DERTERT\r\nDate of creation in the comment in the file | 2022.07.17 | 2014.03.29 | 2017.07.26\r\nDate from the file attributes in the archive | 2022.07.17 | 2023.03.29 | 2022.07.26\r\nObserved as part of the campaign | 2023.04.17 | 2023.05.28 | 2023.07.09\r\nThe fact that Horns\u0026Hooves uses the same licenses as TA569 led us to suspect a possible connection between the two. That said, because license files alone are insufficient to attribute malicious activity to TA569, we decided to look for other similarities. And so we compared the various configuration files that featured in the Horns\u0026Hooves campaign and those used by TA569 – and found them to be near identical. As an example, let’s consider the Horns\u0026Hooves configuration file (edfb8d26fa34436f2e92d5be1cb5901b) and the known configuration file of the TA569 group (67677c815070ca2e3ebd57a6adb58d2e).\r\nComparing the Horns\u0026Hooves and TA569 configuration files\r\nAs we can see, everything matches except the domains and ports. The Gateway Security Key (GSK) field warrants special attention. The fact that the values match indicates that the attackers use the same security key to access the NetSupport client. And this means that the C2 operators in both cases most likely belong to TA569.\r\nWe checked if the key GSK=GF\u003cMABEF9G?ABBEDHG:H had been seen in other campaigns that could not be attributed to either Horns\u0026Hooves or TA569, and found none. Besides this key, we encountered another value in the Horns\u0026Hooves campaign, GSK=FM:N?JDC9A=DAEFG9H\u003cL\u003eM; and in later versions there appeared one more version of the key, which was set with the parameter SecurityKey2=dgAAAI4dtZzXVyBIGlsJn859nBYA.\r\nWhat happens after RMS or NetSupport RAT is installed\r\nThe installation of BurnsRAT or NetSupport RAT is only an intermediate link in the attack chain, giving remote access to the computer. In a number of cases, we observed attempts to use NetSupport RAT to install stealers such as Rhadamanthys and Meduza. However, TA569 generally sells access to infected computers to other groups, for example, to install ransomware Trojans.\r\nBut it’s possible that the attackers may collect various documents and email addresses to further develop the campaign, since the earliest scripts distributed Rhadamanthys instead of NetSupport RAT.\r\nTakeaways\r\nThis post has looked in detail at several ways of delivering and using legitimate software for malicious purposes as part of a sustained campaign. Over the course of the campaign, the attackers changed some of their tactics and experimented with new tools. For instance, they gradually moved away from using additional servers to deliver the payload, leaving only two as a result, which the remote administration software itself uses. Also, the attackers initially weaponized BurnsRAT, but then abandoned it and placed all the program code for installing and running NetSupport RAT in a single script. They probably found this approach more efficient in terms of both development and difficulty of detection.\r\nWe were able to determine with a high degree of certainty that the campaign is linked to the TA569 group, which gains access to organizations and then sells it to other cybercriminals on the dark web. Depending on whose hands this access falls into, the consequences for victim companies can range from data theft to encryption and damage to systems. We also observed attempts to install stealers on some infected machines.\r\nIndicators of compromise\r\nMalicious file hashes\r\nVersion A\r\n327a1f32572b4606ae19085769042e51 — HTA\r\n34eb579dc89e1dc0507ad646a8dce8be — bat_install.bat\r\nVersion B\r\nb3bde532cfbb95c567c069ca5f90652c — JS\r\n29362dcdb6c57dde0c112e25c9706dcf — www.php\r\n882f2de65605dd90ee17fb65a01fe2c7 — installet_bat_vbs.bat\r\nVersion C\r\n5f4284115ab9641f1532bb64b650aad6 — JS\r\n0fea857a35b972899e8f1f60ee58e450 — www.php\r\n20014b80a139ed256621b9c0ac4d7076 — BLD.exe\r\n7f0ee078c8902f12d6d9e300dabf6aed — 1.js\r\nVersion D\r\n63647520b36144e31fb8ad7dd10e3d21 — JS\r\n8096e00aa7877b863ef5a437f55c8277 — www.php\r\n12ab1bc0989b32c55743df9b8c46af5a — 666.bat\r\n50dc5faa02227c0aefa8b54c8e5b2b0d — 1.yay\r\ne760a5ce807c756451072376f88760d7 — ngg_cl.zip\r\nVersion E\r\nb03c67239e1e774077995bac331a8950 — 2023.07\r\nba69cc9f087411995c64ca0d96da7b69 — 2023.09\r\n051552b4da740a3af5bd5643b1dc239a — 2024.02\r\nBurnsRAT C\u0026C\r\nhxxp://193[.]42[.]32[.]138/api/\r\nhxxp://87[.]251[.]67[.]51/api/\r\nLinks, version A\r\nhxxp://31[.]44[.]4[.]40/test/bat_install.bat\r\nhxxps://golden-scalen[.]com/files/*\r\nLinks, version B\r\nhxxp://188[.]227[.]58[.]243/pretencia/www.php\r\nhxxp://188[.]227[.]58[.]243/zayavka/www.php\r\nhxxp://188[.]227[.]58[.]243/pretencia/installet_bat_vbs.bat\r\nhxxps://golden-scalen[.]com/files/*\r\nLinks, version C\r\nhxxp://188[.]227[.]106[.]124/test/js/www.php\r\nhxxp://188[.]227[.]106[.]124/test/js/BLD.exe\r\nhxxp://188[.]227[.]106[.]124/test/js/1.js\r\nLinks, version D\r\nhxxp://45[.]133[.]16[.]135/zayavka/www.php\r\nhxxp://45[.]133[.]16[.]135/zayavka/666.bat\r\nhxxp://45[.]133[.]16[.]135/zayavka/1.yay\r\nhxxp://golden-scalen[.]com/ngg_cl.zip\r\nClient32.ini for Horns\u0026Hooves\r\nedfb8d26fa34436f2e92d5be1cb5901b\r\n3e86f6fc7ed037f3c9560cc59aa7aacc\r\nae4d6812f5638d95a82b3fa3d4f92861\r\nClient32.ini known to belong to TA569\r\n67677c815070ca2e3ebd57a6adb58d2e\r\nNsm.lic\r\n17a78f50e32679f228c43823faabedfd — DERTERT\r\nb9956282a0fed076ed083892e498ac69 — DCVTTTUUEEW23\r\n1b41e64c60ca9dfadeb063cd822ab089 — HANEYMANEY\r\nNetSupport RAT C2 centers for Horns\u0026Hooves\r\nxoomep1[.]com\r\nxoomep2[.]com\r\nlabudanka1[.]com\r\nlabudanka2[.]com\r\ngribidi1[.]com\r\ngribidi2[.]com\r\nC2 centers known to be linked to TA569\r\nshetrn1[.]com\r\nshetrn2[.]com\r\nSource: https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/"
	],
	"report_names": [
		"114740"
	],
	"threat_actors": [
		{
			"id": "2eb5ae35-e3ae-4b76-a945-5e6c2cfc1942",
			"created_at": "2024-02-02T02:00:04.028297Z",
			"updated_at": "2026-04-10T02:00:03.530787Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"DEV-0206",
				"Purple Vallhund"
			],
			"source_name": "MISPGALAXY:Mustard Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434920,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e853725eb94558b46eb8c13e331f4a4d4a34d99.pdf",
		"text": "https://archive.orkl.eu/3e853725eb94558b46eb8c13e331f4a4d4a34d99.txt",
		"img": "https://archive.orkl.eu/3e853725eb94558b46eb8c13e331f4a4d4a34d99.jpg"
	}
}